Title: [170386] trunk/Source/_javascript_Core
- Revision
- 170386
- Author
- mhahnenb...@apple.com
- Date
- 2014-06-24 13:29:27 -0700 (Tue, 24 Jun 2014)
Log Message
REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
https://bugs.webkit.org/show_bug.cgi?id=134046
Reviewed by Filip Pizlo.
* runtime/GetterSetter.h:
(JSC::asGetterSetter):
* runtime/JSObject.cpp:
(JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (170385 => 170386)
--- trunk/Source/_javascript_Core/ChangeLog 2014-06-24 20:18:15 UTC (rev 170385)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-06-24 20:29:27 UTC (rev 170386)
@@ -1,3 +1,17 @@
+2014-06-24 Mark Hahnenberg <mhahnenb...@apple.com>
+
+ REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
+ https://bugs.webkit.org/show_bug.cgi?id=134046
+
+ Reviewed by Filip Pizlo.
+
+ * runtime/GetterSetter.h:
+ (JSC::asGetterSetter):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
+ a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
+ and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
+
2014-06-24 Brent Fulgham <bfulg...@apple.com>
[Win] MSVC mishandles enums in bitfields
Modified: trunk/Source/_javascript_Core/runtime/GetterSetter.h (170385 => 170386)
--- trunk/Source/_javascript_Core/runtime/GetterSetter.h 2014-06-24 20:18:15 UTC (rev 170385)
+++ trunk/Source/_javascript_Core/runtime/GetterSetter.h 2014-06-24 20:29:27 UTC (rev 170386)
@@ -85,7 +85,7 @@
inline GetterSetter* asGetterSetter(JSValue value)
{
- ASSERT(value.asCell()->isGetterSetter());
+ ASSERT_WITH_SECURITY_IMPLICATION(value.asCell()->isGetterSetter());
return static_cast<GetterSetter*>(value.asCell());
}
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (170385 => 170386)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2014-06-24 20:18:15 UTC (rev 170385)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2014-06-24 20:29:27 UTC (rev 170386)
@@ -2646,11 +2646,22 @@
exec->vm().throwException(exec, createTypeError(exec, ASCIILiteral("Attempting to change the getter of an unconfigurable property.")));
return false;
}
+ if (current.attributes() & CustomAccessor) {
+ if (throwException)
+ exec->vm().throwException(exec, createTypeError(exec, ASCIILiteral("Attempting to change access mechanism for an unconfigurable property.")));
+ return false;
+ }
}
JSValue accessor = getDirect(exec->vm(), propertyName);
if (!accessor)
return false;
- GetterSetter* getterSetter = asGetterSetter(accessor);
+ GetterSetter* getterSetter;
+ if (accessor.isCustomGetterSetter())
+ getterSetter = GetterSetter::create(exec->vm());
+ else {
+ ASSERT(accessor.isGetterSetter());
+ getterSetter = asGetterSetter(accessor);
+ }
if (descriptor.setterPresent())
getterSetter->setSetter(exec->vm(), descriptor.setterObject());
if (descriptor.getterPresent())
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes